[SOLVED] openldap client fails to connect ldap server 'ldap_bind: Can't contact LDAP server'
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
openldap client fails to connect ldap server 'ldap_bind: Can't contact LDAP server'
Just installed openldap server on a VM CentOS called 'ldapsrv', it works fine, ldapsearch returns all ldap information.
Installed openldap client on another VM CentOS called 'ldapclient1', configured it with most basic configuration, no ssl/tls etc. but ldapsearch returns error:
[root@ldapclient1 ~]# ldapsearch -x -b "dc=jacklan,dc=com"
ldap_bind: Can't contact LDAP server (-1)
ldapsrv is pingable:
[root@ldapclient1 ~]# ping ldapsrv
PING ldapsrv.jacklan.com (192.168.1.130) 56(84) bytes of data.
64 bytes from ldapsrv.jacklan.com (192.168.1.130): icmp_seq=1 ttl=64 time=2.66 ms
[root@ldapsrv]# cat /etc/openldap/ldap.conf URI ldap://192.168.1.130/ BASE dc=jacklan,dc=com TLS_CACERTDIR /etc/openldap/cacerts
[root@ldapsrv]# cat /etc/ldap.conf # The distinguished name of the search base. base dc=jacklan,dc=com . uri ldap://192.168.1.130/ ssl no tls_cacertdir /etc/openldap/cacerts
It depends on how the firewall is configured. On my servers I block all incoming and outgoing ports. I then specify the ports for incoming and outgoing traffic.
If the client is not configured to allow outgoing traffic with a destination port of 389, the packet will not leave the machine.
It is often useful to allow new packets out with a destination port of 389 and only established packets in. That way, only the client can initiate the exchange of ldap information.
On the other hand, some firewalls are configured to allow all new packets out and only established packets back in. With this configuration there is no need to specify that port 389 should be open on the client.
Here are some output:
from client to server ping/telnet
Quote:
[root@ldapclient1 ~]# ping 192.168.1.130
PING 192.168.1.130 (192.168.1.130) 56(84) bytes of data.
64 bytes from 192.168.1.130: icmp_seq=1 ttl=64 time=0.346 ms
64 bytes from 192.168.1.130: icmp_seq=2 ttl=64 time=0.350 ms
[root@ldapclient1 ~]# telnet 192.168.1.130:389
192.168.1.130:389/telnet: Name or service not known
[root@ldapclient1 ~]# telnet 192.168.1.130
Trying 192.168.1.130...
telnet: connect to address 192.168.1.130: No route to host
telnet: Unable to connect to remote host: No route to host
Output of /etc/openldap/slapd.conf from ldapsrv:
Quote:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
database bdb
suffix "dc=jacklan,dc=com"
rootdn "cn=Manager,dc=jacklan,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}ferIBvelONB8bU0+3ukqtNUDYLCaIhaA
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
Output of /etc/openldap/ldap.conf from ldapclient1:
found something interesting.
jacklan.com is a faked domain that I only use within my VMware network for testing ldap. So I added ldapsrv.jacklan.com to /etc/hosts file of ldapclient machine, /etc/nsswitch.conf use 'files dns' for 'hosts'.
From ldapclient pinging ldapsrv returns correct IP address, however, nslookup gave different IP for ldapsrc??
Quote:
[root@ldapclient1 ~]# netstat -nvr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
[root@ldapclient1 ~]# ping ldapsrv
PING ldapsrv.jacklan.com (192.168.1.130) 56(84) bytes of data.
64 bytes from ldapsrv.jacklan.com (192.168.1.130): icmp_seq=1 ttl=64 time=0.432 ms
64 bytes from ldapsrv.jacklan.com (192.168.1.130): icmp_seq=2 ttl=64 time=0.387 ms
[root@ldapclient1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 ldapclient1.jacklan.com ldapclient1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.130 ldapsrv.jacklan.com ldapsrv
Even that seems be a bit wired, but should not cause my problem here because in the client /etc/openldap/ldap.conf file, it use IP address instead for hostname, right?
Ok, problem solved. Indeed it's firewall problem. Port 389 in ldapsrv was not listed in the firewall trusted zone, or not opened!!
I thought ldapsrv is listening this port meaning it's open, maybe not the same. I can now successfully run ldapsearch from the client machine.
Thanks for all the great help!!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.